Abstract. In this article we discuss a new, mostly theoretical, method for solving (zero-dimensional) polynomial systems, which lies in between Gröbner basis computations and the heuristic first fall degree assumption and is not based on any heuristic. This method relies on the new concept of last fall degree.

Let $k$ be a finite field of cardinality $q^n$ and let $k'$ be its subfield of cardinality $q$. Let $\mathcal{F} \subseteq k[X_0, \ldots, X_{m-1}]$ be a finite subset generating a zero-dimensional ideal. We give an upper bound on the last fall degree of the Weil descent system of $\mathcal{F}$, which depends on $q$, $m$, the last fall degree of $\mathcal{F}$, the degree of $\mathcal{F}$ and the number of solutions of $\mathcal{F}$, but not on $n$. This shows that such Weil descent systems can be solved efficiently if $n$ grows. In particular, we apply these results to multi-HFE and essentially show that multi-HFE is insecure.

Finally, we argue that the degree of regularity (or last fall degree) of Weil descent systems coming from summation polynomials to solve the elliptic curve discrete logarithm problem might depend on $n$, since such systems without field equations are not zero-dimensional.

1. Introduction 

Let $k$ be a field and let $\mathcal{F} \subseteq R = k[X_0, \ldots, X_{m-1}]$ be a finite subset. Let $R_{\le i}$ be the set of polynomials in $R$ of degree at most $i$. Suppose that we want to find the solutions of $\mathcal{F}$ in $k$.

One of the most common methods is the following. First fix a monomial order on $R$, such as the degree reverse lexicographic order, and then compute a Gröbner basis of the ideal generated by $\mathcal{F}$ using for example F4 or F5. Then one computes a Gröbner basis for the lexicographic order using FGLM [5]. It is often very hard to estimate the complexity of such algorithms. The largest degree which one sees in such a computation of a Gröbner basis for the degree reverse lexicographic order is called the degree of regularity, and this degree essentially determines the complexity of such algorithms.

One approach to obtain heuristic complexity bounds is the use of the so-called first fall degree assumption. For $i \in \mathbb{Z}_{\ge 0}$, we let $V_{\mathcal{F},i}$ be the smallest $k$-vector space such that

i. $\{f \in \mathcal{F} : \deg(f) \le i\} \subseteq V_{\mathcal{F},i}$;

ii. if $g \in V_{\mathcal{F},i}$ and if $h \in R$ with $\deg(hg) \le i$, then $hg \in V_{\mathcal{F},i}$.

The first fall degree is defined to be the first $d$ such that $V_{\mathcal{F},d} \cap R_{\le d-1} \ne V_{\mathcal{F},d-1}$ (and if it does not exist, it is defined to be $0$; note that this definition of the first fall degree differs slightly from most definitions, as in [15], but behaves a lot better). The heuristic claim is that the first fall degree is close to the degree of regularity for many systems (see for example [15]). A quote from [5] is "Our conclusions rely on no heuristic assumptions beyond the standard assumption that the Gröbner basis algorithms terminate at or shortly after the degree of regularity" (note that in [5] the definition of degree of regularity coincides with the first fall degree definition of [15]). It is quite often easy to give an upper bound on the first fall degree, just by counting arguments (see [5] for example). However, in [13], the second and third author of this article raise doubts about the first fall degree heuristic.

In the first part of this article we will try to rectify the situation. We define the notion of last fall degree (or maximal gap degree), which is the largest $d$ such that $V_{\mathcal{F},d} \cap R_{\le d-1} \ne V_{\mathcal{F},d-1}$. We denote the last fall degree of $\mathcal{F}$ by $d_{\mathcal{F}}$. If $\mathcal{F}$ is zero-dimensional with at most $e$ solutions over the algebraic closure of $k$, we show how one can solve the system using $V_{\mathcal{F},\max(d_{\mathcal{F}},e)}$ and univariate factoring algorithms (Proposition 2.8). We also prove several properties of the last fall degree, for example that it is always bounded by the degree of regularity and that it behaves well with respect to certain operations (such as linear changes of variables and linear changes of equations). See Subsection 2.4 for a comparison with other methods for solving systems, most notably with MutantXL.

In the second part of this article we show one application of the last fall degree. Basically, if $k$ is a finite field of cardinality $q^n$ and $k'$ is its subfield of cardinality $q$, and $\mathcal{F}$ is zero-dimensional, then we show that the last fall degree of a Weil descent system of $\mathcal{F}$ to $k'$ is bounded independently of $n$. This generalizes practical and mathematical results for $m = 1$. It shows that some versions of multi-HFE (HFE stands for hidden field equations) are much easier to tackle than one would expect. Let us now give a precise formulation of the main theorem.

We denote by $Z(\mathcal{F})$ the set of zeros of $\mathcal{F}$ over $\bar{k}$. For $r \in \mathbb{Z}_{\ge 0}$ and $c, t \in \mathbb{Z}_{\ge 1}$ we set
$$\tau(r, c, t) = \max\left(\left\lfloor 2t(c-1)\left(\log_c\left(\frac{r}{t}\right) + 1\right)\right\rfloor,\ 0\right).$$
Note that this function increases when $r$ increases.

Theorem 1.1. Let $k$ be a finite field of cardinality $q^n$. Let $\mathcal{F} \subseteq R$ be a finite subset. Let $I$ be the ideal generated by $\mathcal{F}$. Assume that the following hold:

• $I$ is zero-dimensional, say one has $|Z(\mathcal{F})| \le s$;

• $I$ is radical;

• there is a coordinate $t$ such that the projection map $Z(\mathcal{F}) \to \bar{k}$ to coordinate $t$ is injective.

Let $\mathcal{F}'_f$ be the Weil descent system of $\mathcal{F}$ to the subfield $k'$ of cardinality $q$ using some basis of $k/k'$, together with the field equations (Subsection 3.1). Then one has
$$d_{\mathcal{F}'_f} \le \max\left(\tau\big(\max(d_{\mathcal{F}}, \deg(\mathcal{F}), (m+1)s, 1),\ q,\ m\big),\ m \cdot \tau(2s, q, 1),\ q\right).$$

When $m = 1$, we obtain a slightly stronger version (Theorem 4.5).

In Section 6 we explain why Theorem 1.1 is not useful to determine the complexity of solving systems coming from summation polynomials for the elliptic curve discrete logarithm problem.




Parts of the results in this article can be found in our paper which will be presented at Crypto 2015. In that paper, however, we restrict to the case $m = 1$ and leave out certain mathematical proofs.

1.1. Organization of the paper. In Section 2 we discuss the last fall degree. We also discuss how one can solve zero-dimensional systems using the last fall degree and we compare this method with existing methods. In Section 3 we introduce Weil descent and an alternative version of Weil descent. Section 4 is devoted to the proof of Theorem 1.1. In this section we first discuss the relation between the two Weil descent systems. Then we study the univariate case and deduce the result for the multivariate case from the univariate case using projection polynomials. Finally, we discuss how one can generalize the main theorem. In Section 5 we discuss the relation with multi-HFE. In Section 6 we discuss why the results in this article are not directly useful for studying systems coming from summation polynomials for the elliptic curve discrete logarithm problem.

2. Last fall degree 

In this section we introduce the notion of the last fall degree of a system of polynomials. This notion is a parameter for the complexity of solving the polynomial system, and is independent of any monomial order. Later, we use this notion to study the complexity of Weil descent systems.

Let $k$ be a field and let $R = k[X_0, \ldots, X_{m-1}]$ be a polynomial ring. Note that the affine group $\mathrm{Aff}_m(k) = k^m \rtimes \mathrm{GL}_m(k)$ acts on $R$ by affine changes of variables. This action preserves the total degree. The set of polynomials of degree $\le i$ is denoted by $R_{\le i}$.

Let $\mathcal{F}$ be a finite subset of $R$ and let $I \subseteq R$ be the ideal generated by $\mathcal{F}$. We set $\deg(\mathcal{F}) = \max\{\deg(f) : f \in \mathcal{F}\}$. Furthermore, we set $\deg_{X_i}(\mathcal{F}) = \max\{\deg_{X_i}(f) : f \in \mathcal{F}\}$.

2.1. Constructible polynomials.

Definition 2.1. For $i \in \mathbb{Z}_{\ge 0}$, we let $V_{\mathcal{F},i}$ be the smallest $k$-vector space such that

i. $\mathcal{F} \cap R_{\le i} = \{f \in \mathcal{F} : \deg(f) \le i\} \subseteq V_{\mathcal{F},i}$;

ii. if $g \in V_{\mathcal{F},i}$ and if $h \in R$ with $\deg(hg) \le i$, then $hg \in V_{\mathcal{F},i}$.

We set $V_{\mathcal{F},\infty} = I$. For convenience, we set $V_{\mathcal{F},-1} = 0$.

If $\mathcal{F}$ is fixed, we just write $V_i$ instead of $V_{\mathcal{F},i}$. Intuitively, $V_i$ is the largest subset of $I$ which can be constructed from $\mathcal{F}$ by doing operations of degree at most $i$. Note that $V_i$ is a finite-dimensional $k$-vector space of dimension
$$\dim_k V_i \le \binom{m+i}{i} \le (m+i)^i.$$

Notice that for any $f \in I$, there is an $i \in \mathbb{Z}_{\ge 0}$ such that $f \in V_i$. Phrased differently, we have $I = V_\infty = \bigcup_{i \in \mathbb{Z}_{\ge 0}} V_i$.

Definition 2.2. For $g, h \in R$ and $i \in \mathbb{Z}_{\ge 0} \cup \{\infty\}$, we write $g \equiv_{\mathcal{F},i} h$ if $g - h \in V_{\mathcal{F},i}$. If $\mathcal{F}$ is fixed, we often write $g \equiv_i h$. We write $g \equiv h$ if $g \equiv_\infty h$, which means $g - h \in I$.
Proposition 2.3. Let $\mathcal{F}, \mathcal{G} \subseteq R$ be finite subsets, $i \in \mathbb{Z}_{\ge 0}$, $A \in \mathrm{Aff}_m(k)$ and $k'/k$ a field extension. Then the following hold:

i. $V_{\mathcal{F},i}$ can be constructed in a number of field operations which is polynomial in $(m+i)^i$ and in the cardinality of $\mathcal{F}$;

ii. if $\mathcal{F} \subseteq \mathcal{G}$, then $V_{\mathcal{F},i} \subseteq V_{\mathcal{G},i}$;

iii. if $\mathrm{Span}_k(\mathcal{F}) = \mathrm{Span}_k(\mathcal{G})$ and $i \ge \deg(\mathcal{F})$, then $V_{\mathcal{F},i} = V_{\mathcal{G},i}$;

iv. one has $A V_{\mathcal{F},i} = V_{A\mathcal{F},i}$;

v. one has $V_{\mathcal{F},i} \otimes_k k' = V_{\{f \otimes 1 : f \in \mathcal{F}\},i} \subseteq k'[X_0, \ldots, X_{m-1}]$.

Proof. i: One can construct the $V_{\mathcal{F},i}$ using linear algebra as follows. Use a degree preserving ordered basis of $R_{\le i}$ and use row echelon forms to construct the $V_{\mathcal{F},i}$.

ii, iii, v: Follows directly from the definitions.

iv: Follows because the action of $\mathrm{Aff}_m(k)$ respects degrees. □

Remark 2.4. Let $f_1, f_2, g_1, g_2 \in R$. Assume $f_1 \equiv_i f_2$ and $g_1 \equiv_j g_2$. Assume that $\deg(f_1) \le i$ and $\deg(g_2) \le j$. Then one has
$$f_1 g_1 - f_2 g_2 = f_1(g_1 - g_2) + g_2(f_1 - f_2) \in V_{i+j}.$$
Hence we have $f_1 g_1 \equiv_{i+j} f_2 g_2$.

2.2. Last fall degree. We now define the last fall degree.

Definition 2.5. Let $\mathcal{F}$ be a finite subset of $R$ and let $I$ be the ideal generated by $\mathcal{F}$. The minimal $d \in \mathbb{Z}_{\ge 0} \cup \{\infty\}$ such that for all $f \in I$ we have $f \in V_{\max(d, \deg(f))}$ is called the last fall degree of $\mathcal{F}$, and is denoted by $d_{\mathcal{F}}$.

Note that the above definition implies that for $i \ge d_{\mathcal{F}}$, one has $V_{\mathcal{F},i} = I \cap R_{\le i}$. We will now state some of the properties of the last fall degree.

Proposition 2.6. Let $\mathcal{F}, \mathcal{G} \subseteq R$ be finite subsets which generate ideals $I$ respectively $J$. Let $A \in \mathrm{Aff}_m(k)$ and $k'/k$ be a field extension. The following hold.

i. One has $d_{\mathcal{F}} \in \mathbb{Z}_{\ge 0}$.

ii. Let $B$ be a Gröbner basis with respect to some degree refining monomial order on $R$. Then there is an integer $c \in \mathbb{Z}_{\ge 0}$ such that $B \subseteq V_{\mathcal{F},c}$, and one has $d_{\mathcal{F}} \le c$.

iii. One has: $d_{\mathcal{F}}$ is the largest $c \in \mathbb{Z}_{\ge 0}$ such that $V_c \cap R_{\le c-1} \ne V_{c-1}$.

iv. If $\mathrm{Span}_k(\mathcal{F}) = \mathrm{Span}_k(\mathcal{G})$, then one has $\max(d_{\mathcal{F}}, \deg(\mathcal{F})) = \max(d_{\mathcal{G}}, \deg(\mathcal{F}))$.

v. One has $d_{\mathcal{F}} = d_{A\mathcal{F}}$.

vi. Consider the set $\{f \otimes 1 : f \in \mathcal{F}\} \subseteq k'[X_0, \ldots, X_{m-1}]$. One has $d_{\{f \otimes 1 : f \in \mathcal{F}\}} = d_{\mathcal{F}}$.

vii. If $I = J$ and $\mathcal{F} \subseteq \mathcal{G}$, then one has $d_{\mathcal{G}} \le d_{\mathcal{F}}$.

viii. If $g \in V_{\mathcal{F},j}$, then one has $d_{\mathcal{F}} \le \max(j, d_{\mathcal{F} \cup \{g\}})$.

Proof. i, ii: i follows from ii directly, since a Gröbner basis always exists. It is easy to see that there is a $c$ with $B \subseteq V_{\mathcal{F},c}$. Take $f \in I$ and write $f = \sum_{b \in B} a_b b$ with $\deg(a_b b) \le \deg(f)$ for $b \in B$. This is possible because $B$ is a Gröbner basis for a degree refining order. Then one easily finds $f \in V_{\max(\deg(f), c)}$.

iii: Let $c$ be as in the property. By definition we have $d_{\mathcal{F}} \ge c$, and furthermore we have
$$V_{d_{\mathcal{F}}} \cap R_{\le d_{\mathcal{F}}-1} = I \cap R_{\le d_{\mathcal{F}}-1} \ne V_{d_{\mathcal{F}}-1}.$$

iv: Follows directly from the definitions (Proposition 2.3 iii).

v: Follows from Proposition 2.3 iv.

vi, vii: Follows directly from the definitions.

viii: Follows since $V_{\mathcal{F},i} = V_{\mathcal{F} \cup \{g\},i}$ if $i \ge j$. □

Note that property iii gives a nice interpretation of the last fall degree: it is the largest degree fall we need to completely get the ideal, hence the name (another name might be maximal gap degree, which is more in the spirit of the definition itself). In the next subsection, we show how one can solve a system once one knows the last fall degree. In heuristics, one often uses the notion of first fall degree, the first $c$ such that $V_c \cap R_{\le c-1} \ne V_{c-1}$, to bound the complexity of Gröbner basis algorithms. Actually, most articles, such as [15], use a slightly different definition of the first fall degree. They say that the first fall degree $d_{\mathcal{F},f}$ is the first $d \ge \deg(\mathcal{F})$ such that there exist $g_f \in R$ for $f \in \mathcal{F}$ with $d = \max_{f \in \mathcal{F}}(\deg(g_f f))$, $\deg(\sum_{f \in \mathcal{F}} g_f f) < d$ and $\sum_{f \in \mathcal{F}} g_f f \ne 0$. By definition we have $d_{\mathcal{F},f} \le d_{\mathcal{F}}$ if $d_{\mathcal{F}} > \deg(\mathcal{F})$ and $d_{\mathcal{F}} > 0$. We do not think that the first fall degree is the right notion for the complexity of such algorithms (see also [13]). We will derive complexity bounds for solving systems based on the last fall degree.

Property ii in combination with iii gives a method (using a monomial order and a Gröbner basis computation) to compute the last fall degree. It would be of great importance to find a method which does not use a monomial order.

Remark 2.7. Let $\mathcal{F}$ be a finite subset of $R$. It is in general not true that $V_{\mathcal{F},d_{\mathcal{F}}}$ generates the same ideal as $\mathcal{F}$. For example, if $m = 1$ and $\mathcal{F} = \{f\}$ with $f$ not constant, then one has $d_{\mathcal{F}} = 0$, whereas $V_{\mathcal{F},0}$ does not generate $(f)$.

2.3. Solving systems. We will now discuss how one can solve a multivariate zero-dimensional system once the last fall degree is known.

Proposition 2.8. Let $k$ be a field. Assume that one can factor a polynomial of degree at most $t$ using a number of field operations which is polynomial in $g(t)$, where $g$ is some function. Let $\mathcal{F} \subseteq R$ be a finite set. Assume that the ideal $I$ generated by $\mathcal{F}$ is radical and that the system has at most $e$ solutions over $\bar{k}$. Set $d = \max(d_{\mathcal{F}}, e)$. Then one can find all solutions of $I$ in $k$ in a number of field operations which is polynomial in the cardinality of $\mathcal{F}$, $g(d)$ and $(m+d)^d$.

Proof. Compute $V_d$ with a number of field operations polynomial in the input size of $\mathcal{F}$ and $(m+d)^d$ (Proposition 2.3). We will work in $V_d$ to find all the solutions. Assume that all solutions over $\bar{k}$ of the system are
$$Z(\mathcal{F}) = \{(a_{0,0}, \ldots, a_{0,m-1}), \ldots, (a_{t,0}, \ldots, a_{t,m-1})\} \subseteq \bar{k}^m$$
with $t < e$. Since $I$ is a radical ideal, by the Nullstellensatz and Galois theory, one has
$$h_0 = \prod_{a \in \{a_{0,0}, \ldots, a_{t,0}\}} (X_0 - a) \in I.$$
Using linear algebra, and the definition of the last fall degree, one can find $h_0$ as the nonzero polynomial of minimal degree $d_0$ in $V_d \cap \mathrm{Span}_k\{1, X_0, \ldots, X_0^d\}$. Factor $h_0$ with a number of operations polynomial in $g(t)$. Assume that $a_0$ is a root of $h_0$ in $k$. We will find all solutions over $k$ with $X_0 = a_0$. Set $h'_0 = h_0/(X_0 - a_0)$, of degree $d_0 - 1$. By the Nullstellensatz and Galois theory, one has
$$h_1 = h'_0 \prod_{a \in \{a_{i,1} : a_{i,0} = a_0\}} (X_1 - a) \in I.$$
Using linear algebra, one finds $h_1$ as the polynomial of minimal degree $d_1$ in $V_d \cap \mathrm{Span}_k\{h'_0, X_1 h'_0, \ldots, X_1^{d - d_0 + 1} h'_0\}$. Factor $h_1/h'_0$ over $k$. Pick a root $a_1$ over $k$ and find all solutions with $X_0 = a_0$, $X_1 = a_1$ using the same recursive procedure. Hence one can find all solutions over $k$ with the claimed number of field operations. □

If $k$ is a finite field of cardinality $q$, one can factor a polynomial of degree bounded by $t$ with a number of operations polynomial in $\max(\log(q), t)$ in a probabilistic way and in $\max(q, t)$ in a deterministic way [16].
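The following Python program is a worked example added to this section; it is not code from the original paper. It implements Definition 2.1 over a small prime field (GF(7), a constructed choice; the paper works over any field) by the row-echelon construction of Proposition 2.3 i, reads off the fall degrees of Proposition 2.6 iii, and carries out a simplified version of the solving procedure of Proposition 2.8: it takes a projection polynomial for every coordinate from $V_d$, finds its roots by substitution instead of calling a factoring algorithm, and filters the candidate points against $\mathcal{F}$ instead of recursing. The input system $\{X_0^2 + X_1,\ X_0 X_1 + 1\}$ and the bound on the degrees searched are constructed for the example; the last fall degree reported is only guaranteed to be $d_{\mathcal{F}}$ if that bound is at least the degree of a Gröbner basis (Proposition 2.6 ii), which holds here since $\{X_0^2 + X_1, X_0 X_1 + 1, X_1^2 - X_0\}$ is a Gröbner basis for the degree reverse lexicographic order.

```python
"""Constructible spaces V_{F,i}, fall degrees and solving from V_d over GF(P)."""
from itertools import product
from math import prod

P = 7  # coefficient field GF(7): small enough to find roots by substitution

def monomials(m, i):
    """Exponent tuples of total degree <= i, highest degree first (see span_basis)."""
    return sorted((e for e in product(range(i + 1), repeat=m) if sum(e) <= i),
                  key=lambda e: (-sum(e), e))

def poly_mul(f, g):
    """Product of polynomials stored as {exponent tuple: coefficient mod P}."""
    h = {}
    for (ea, ca), (eb, cb) in product(f.items(), g.items()):
        e = tuple(a + b for a, b in zip(ea, eb))
        h[e] = (h.get(e, 0) + ca * cb) % P
    return {e: c for e, c in h.items() if c}

def evaluate(f, pt):
    """Value of f at a point of GF(P)^m."""
    return sum(c * prod(pow(a, k, P) for a, k in zip(pt, e)) for e, c in f.items()) % P

def rref(rows, ncols):
    """Reduced row echelon form over GF(P): nonzero rows and their pivot columns."""
    rows, pivots, r = [row[:] for row in rows], [], 0
    for c in range(ncols):
        piv = next((k for k in range(r, len(rows)) if rows[k][c]), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = pow(rows[r][c], P - 2, P)
        rows[r] = [x * inv % P for x in rows[r]]
        for k in range(len(rows)):
            if k != r and rows[k][c]:
                rows[k] = [(a - rows[k][c] * b) % P for a, b in zip(rows[k], rows[r])]
        pivots.append(c)
        r += 1
    return rows[:r], pivots

def span_basis(polys, cols):
    """Echelon basis of span(polys) with monomial columns ordered as `cols`; in descending
    degree order the rows with a low-degree pivot are exactly the low-degree elements."""
    idx = {e: j for j, e in enumerate(cols)}
    rows = [[0] * len(cols) for _ in polys]
    for row, f in zip(rows, polys):
        for e, c in f.items():
            row[idx[e]] = c
    rows, pivots = rref(rows, len(cols))
    return [{cols[j]: c for j, c in enumerate(r) if c} for r in rows], pivots

def constructible_space(F, m, i):
    """Basis of V_{F,i} (Definition 2.1): members of F of degree <= i, closed under monomial
    multiples that stay within degree i; iterate until stable so later degree falls are used."""
    cols = monomials(m, i)
    basis, _ = span_basis([f for f in F if max(map(sum, f)) <= i], cols)
    while True:
        products = [poly_mul({e: 1}, g) for g in basis for e in cols if 0 < sum(e) <= i - max(map(sum, g))]
        new_basis, _ = span_basis(basis + products, cols)
        if len(new_basis) == len(basis):
            return basis
        basis = new_basis

def intersect_with_span(polys, keep):
    """Basis of span(polys) ∩ span(keep): with columns 'everything else, then keep', exactly
    the rows whose pivot lies in keep have no support outside keep."""
    others = sorted({e for f in polys for e in f} - set(keep), reverse=True)
    basis, pivots = span_basis(polys, others + list(keep))
    return [g for g, p in zip(basis, pivots) if p >= len(others)]

def fall_degrees(F, m, max_degree):
    """All c <= max_degree with V_c ∩ R_{<=c-1} != V_{c-1} (Proposition 2.6 iii): first entry is
    the first fall degree, last entry is d_F if max_degree >= degree of a Grobner basis (assumed)."""
    falls, prev_dim = [], len(constructible_space(F, m, 0))
    for c in range(1, max_degree + 1):
        Vc = constructible_space(F, m, c)
        if len(intersect_with_span(Vc, monomials(m, c - 1))) > prev_dim:
            falls.append(c)
        prev_dim = len(Vc)
    return falls

def solve_with_last_fall_degree(F, m, d):
    """Proposition 2.8, simplified: a projection polynomial per coordinate from V_d, roots by
    substitution (instead of factoring), and candidate points filtered by F (instead of recursing)."""
    V = constructible_space(F, m, d)
    roots = []
    for j in range(m):
        keep = [tuple(e * (i == j) for i in range(m)) for e in range(d, -1, -1)]  # X_j^d, ..., 1
        uni = intersect_with_span(V, keep)  # V_d ∩ k[X_j]; the last row has minimal degree (h_0)
        if not uni:
            raise ValueError(f"V_{d} has no univariate polynomial in X_{j}; increase d")
        roots.append([a for a in range(P) if evaluate(uni[-1], tuple(a * (i == j) for i in range(m))) == 0])
    return sorted(pt for pt in product(*roots) if all(evaluate(f, pt) == 0 for f in F))

# Constructed input over GF(7): F = {X0^2 + X1, X0*X1 + 1}; the ideal is (X0^3 - 1, X1 + X0^2)
# with three solutions, and X1*(X0^2 + X1) - X0*(X0*X1 + 1) = X1^2 - X0 is a degree fall at 3.
F_EXAMPLE = [{(2, 0): 1, (0, 1): 1}, {(1, 1): 1, (0, 0): 1}]
# Remark 2.7: a single nonconstant univariate polynomial never produces a degree fall.
F_UNIVARIATE = [{(3,): 1, (1,): 1, (0,): 1}]
```

For the constructed system one finds $\dim V_i = 0, 0, 2, 7, 12$ for $i = 0, \ldots, 4$ and a single degree fall at $3$, so $d_{\mathcal{F}} = 3$; $V_3 \cap k[X_0]$ is spanned by $X_0^3 - 1$, whose roots $1, 2, 4$ in GF(7) lead to the three solutions $(1,6)$, $(2,3)$, $(4,5)$. For the univariate input $X^3 + X + 1$ no fall occurs at all, matching Remark 2.7. The loop in `constructible_space` is the point where MutantXL-style "mutants" enter: a product that drops in degree is fed back and multiplied again, which is exactly what makes $V_i$ larger than the plain Macaulay span of $\mathcal{F}$.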

2.4. Comparison. In this subsection we compare the above approach of solving a system $\mathcal{F}$ with other methods.

The construction of the $V_i$ above is quite similar to the operations done by algorithms like XL, although we 'use' relations which cause the degree to fall (see for example MutantXL [2]). Our method for solving the system itself (Proposition 2.8) is more in the spirit of using a lexicographic order to solve the system.

Given a system $\mathcal{F}$, in practice one often does not know $d_{\mathcal{F}}$. One can then solve the system by increasing $i$ and computing the $V_i$ until one has the right projection polynomials as in the proof of Proposition 2.8. This is the main idea of MutantXL (see [2]).

From a complexity point of view, the last fall degree also shows that under certain circumstances MutantXL (or the method described above) is faster than the standard Gröbner basis methods. Indeed, suppose that the system $\mathcal{F}$ has $s \le d_{\mathcal{F}}$ solutions. Then one can solve the system by looking at $V_{d_{\mathcal{F}}}$ (Proposition 2.8). Note that $d_{\mathcal{F}}$ is not more than the degree needed to compute a Gröbner basis for any degree refining monomial order (Proposition 2.6 ii). Hence the new algorithm might terminate at a lower degree than a Gröbner basis algorithm. If this happens, this usually means that the MutantXL approach is faster.

From a practical point of view, we have not really addressed how to construct the $V_i$ as efficiently as possible. To construct these $V_i$ in an efficient way, one has to try to keep the matrices as sparse as possible and do as few reductions as possible. Algorithms such as F4, F5 or MutantXL [2] should help to achieve this.

We hope that the framework of the last fall degree allows one to prove complexity statements for solving certain systems. Our framework has the advantage that it behaves well with respect to various operations (Proposition 2.6) and that we do not use a monomial order. For example, it allows us to compare the last fall degree of a system before and after Weil descent, without using heuristic assumptions (Theorem 1.1).


3. Weil descent

Let $q$ be a prime power. Let $n \in \mathbb{Z}_{\ge 1}$ and let $k$ be a finite field of cardinality $q^n$. Let $k'$ be the subfield of $k$ of cardinality $q$. In this section, we introduce two Weil descent transforms for a finite subset of $R = k[X_0, \ldots, X_{m-1}]$.

Let $\mathcal{F} \subseteq R$ be a finite set of polynomials. Suppose we want to find the common zeros of these polynomials in $k$. Let $I$ be the ideal generated by
$$\mathcal{F}_f = \mathcal{F} \cup \{X_i^{q^n} - X_i : i = 0, \ldots, m-1\}.$$

3.1. Weil descent. Let $\alpha_0, \ldots, \alpha_{n-1}$ be a basis of $k/k'$. Write $X_i = \sum_{j=0}^{n-1} \alpha_j X_{ij}$. For $f \in \mathcal{F}$ and $j = 0, \ldots, n-1$, we define $[f]_j \in k'[X_{ij} : i = 0, \ldots, m-1,\ j = 0, \ldots, n-1]$ by
$$f\Big(\sum_{j=0}^{n-1} \alpha_j X_{0j}, \ldots, \sum_{j=0}^{n-1} \alpha_j X_{m-1,j}\Big) \equiv \sum_{j=0}^{n-1} \alpha_j [f]_j \pmod{X_{ij}^q - X_{ij},\ i = 0, \ldots, m-1,\ j = 0, \ldots, n-1},$$
where $[f]_j$ is chosen of minimal degree (so $\deg_{X_{ij}}([f]_k) \le q - 1$). The system
$$\mathcal{F}' = \{[f]_j : f \in \mathcal{F},\ j = 0, \ldots, n-1\}$$
is called the Weil descent system of $\mathcal{F}$ with respect to $\alpha_0, \ldots, \alpha_{n-1}$. There is a bijection between the solutions over $k$ (or $\bar{k}$) of $\mathcal{F}_f$ and the solutions over $k'$ (or $\bar{k}$) of
$$\mathcal{F}'_f = \mathcal{F}' \cup \{X_{ij}^q - X_{ij} : i = 0, \ldots, m-1,\ j = 0, \ldots, n-1\}.$$
Note that the ideals generated by $\mathcal{F}_f$ and $\mathcal{F}'_f$ are radical ideals.

An interesting choice for the $\alpha_i$ is a normal basis, that is, a basis with $\alpha_i = \theta^{q^i}$ for some $\theta \in k$. Such a basis always exists.

Remark 3.1. A different choice of the $\alpha_i$ merely results in a linear change of the variables $X_{ij}$ and a linear change of the polynomials $[f]_i$ and the field equations $X_{ij}^q - X_{ij}$. Indeed, if $\beta_0, \ldots, \beta_{n-1}$ is another basis, then we can write $\beta_i = \sum_{j=0}^{n-1} c_{ij} \alpha_j$ and $\alpha_i = \sum_{j=0}^{n-1} d_{ij} \beta_j$. Let $C = (c_{ij})_{i,j}$ be the corresponding matrix. One has:
$$f\Big(\sum_{j=0}^{n-1} \beta_j X_{0j}, \ldots, \sum_{j=0}^{n-1} \beta_j X_{m-1,j}\Big) = f\Big(\sum_{k=0}^{n-1} \alpha_k \sum_{j=0}^{n-1} c_{jk} X_{0j}, \ldots, \sum_{k=0}^{n-1} \alpha_k \sum_{j=0}^{n-1} c_{jk} X_{m-1,j}\Big)$$
$$= \sum_{i=0}^{n-1} \alpha_i\, \mathrm{diag}(C, \ldots, C)[f]_i = \sum_{j=0}^{n-1} \beta_j \Big(\sum_{i=0}^{n-1} d_{ij}\, \mathrm{diag}(C, \ldots, C)[f]_i\Big),$$
where $\mathrm{diag}(C, \ldots, C)[f]_i$ denotes $[f]_i$ after the linear change of variables given by $C$ on each block of variables $X_{i0}, \ldots, X_{i,n-1}$, and the equations are read modulo the field equations.

If $d$ is the last fall degree of $\mathcal{F}'_f$ with respect to the $\alpha_i$, and $d'$ with respect to the $\beta_i$, we conclude that $\deg(\mathcal{F}')$ does not depend on the choice of basis and that
$$\max(d, \deg(\mathcal{F}'), q) = \max(d', \deg(\mathcal{F}'), q).$$
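A worked instance of Subsection 3.1 in Python, added here and not part of the original paper: $q = 2$, $n = 3$, $m = 1$, with $k = \mathrm{GF}(8)$ modelled as $\mathrm{GF}(2)[x]/(x^3 + x + 1)$ (a concrete model chosen for the example) and the constructed input $f = X^3 + X + 1$. Polynomials are stored as dictionaries; the example computes $[f]_0, \ldots, [f]_{n-1}$ reduced modulo the field equations $X_j^2 - X_j$ for the polynomial basis $\{1, x, x^2\}$ and for the normal basis $\{\theta, \theta^2, \theta^4\}$ with $\theta = x + 1$, and checks the bijection between the roots of $f$ in $k$ and the $\mathrm{GF}(2)$-solutions of $\mathcal{F}'_f$ claimed above. All names in the code are the example's own.

```python
"""Weil descent of a univariate system over GF(2^N) to GF(2), as in Subsection 3.1."""
from itertools import product

N = 3             # k = GF(2^N), k' = GF(2): q = 2, n = N, m = 1
MODULUS = 0b1011  # k modelled as GF(2)[x]/(x^3 + x + 1); elements are 3-bit integers

def gf_mul(a, b):
    """Carry-less multiplication in k, reduced modulo MODULUS."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:
            a ^= MODULUS
    return r

def gf_pow(a, e):
    r = 1
    for _ in range(e):
        r = gf_mul(r, a)
    return r

def basis_coordinates(basis):
    """Map every element of k to its coordinate vector in k'^N with respect to `basis`."""
    coords = {}
    for bits in product((0, 1), repeat=N):
        elt = 0
        for bit, alpha in zip(bits, basis):
            if bit:
                elt ^= alpha
        coords[elt] = bits
    if len(coords) != 2 ** N:
        raise ValueError("basis elements are linearly dependent over GF(2)")
    return coords

def poly_add(f, g):
    h = dict(f)
    for e, c in g.items():
        h[e] = h.get(e, 0) ^ c
    return {e: c for e, c in h.items() if c}

def poly_mul(f, g):
    """Product in k[X_0..X_{N-1}] reduced modulo the field equations X_j^2 - X_j (every
    exponent is clipped to 1); polynomials are {exponent tuple: element of k}."""
    h = {}
    for (ea, ca), (eb, cb) in product(f.items(), g.items()):
        e = tuple(min(a + b, 1) for a, b in zip(ea, eb))
        h[e] = h.get(e, 0) ^ gf_mul(ca, cb)
    return {e: c for e, c in h.items() if c}

def weil_descent(f, basis):
    """[f]_0, ..., [f]_{N-1} in k'[X_0..X_{N-1}] for f = {degree: coefficient} over k, so that
    f(sum_j basis[j] X_j) = sum_j basis[j] [f]_j modulo the field equations."""
    coords = basis_coordinates(basis)
    L = {tuple(int(i == j) for i in range(N)): alpha for j, alpha in enumerate(basis)}
    total = {}
    for deg, c in f.items():
        term = {(0,) * N: c}
        for _ in range(deg):
            term = poly_mul(term, L)
        total = poly_add(total, term)
    descent = [{} for _ in range(N)]
    for e, c in total.items():  # split each coefficient along the basis
        for j, bit in enumerate(coords[c]):
            if bit:
                descent[j][e] = 1
    return descent

def roots_in_k(f):
    """Roots of f in k by exhaustive evaluation (k has only 2^N elements)."""
    def value(a):
        v = 0
        for deg, c in f.items():
            v ^= gf_mul(c, gf_pow(a, deg))
        return v
    return sorted(a for a in range(2 ** N) if value(a) == 0)

def solutions_of_descent(descent):
    """Common zeros in k'^N of the [f]_j; the field equations restrict every X_j to {0, 1}."""
    def vanishes(g, pt):
        return sum(c for e, c in g.items() if all(p or not k for p, k in zip(pt, e))) % 2 == 0
    return sorted(pt for pt in product((0, 1), repeat=N) if all(vanishes(g, pt) for g in descent))

def check_bijection(f, basis):
    """Roots of f in k correspond one-to-one to the solutions of the descent system over k'."""
    coords = basis_coordinates(basis)
    return solutions_of_descent(weil_descent(f, basis)) == sorted(coords[a] for a in roots_in_k(f))

# Constructed input: f = X^3 + X + 1, whose three roots in k are x, x^2 and x^4 = x^2 + x.
F_EXAMPLE = {3: 1, 1: 1, 0: 1}
POLY_BASIS = [0b001, 0b010, 0b100]    # 1, x, x^2
NORMAL_BASIS = [0b011, 0b101, 0b111]  # theta, theta^2, theta^4 with theta = x + 1
```

For the polynomial basis one obtains $[f]_0 = 1 + X_1 + X_2 + X_1 X_2$, $[f]_1 = X_0 X_1 + X_0 X_2$ and $[f]_2 = X_0 X_1$, whose common zeros $(0,0,1), (0,1,0), (0,1,1)$ are precisely the coordinate vectors of the roots $x^2, x, x^2 + x$ of $f$. With the normal basis the individual $[f]_j$ look different, but the solution set is again in bijection with the roots and $\deg(\mathcal{F}') = 2$ in both cases, as Remark 3.1 predicts.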

3.2. Another model for Weil descent. For practical reasons, we will often work with another model of Weil descent.

Let $S = k[X_{ij} : i = 0, \ldots, m-1,\ j = 0, \ldots, n-1]$. Let $e_0, \ldots, e_{m-1} \in \mathbb{Z}_{\ge 0}$. Let $X_i^{e'_i}$ be the remainder of division of $X_i^{e_i}$ by $X_i^{q^n} - X_i$. Write $e'_i = \sum_{j=0}^{n-1} e'_{ij} q^j$ in base $q$ with $e'_{ij} \in \{0, 1, \ldots, q-1\}$. We set
$$\overline{\prod_{i=0}^{m-1} X_i^{e_i}} = \prod_{i=0}^{m-1} X_{i0}^{e'_{i0}} \cdots X_{i,n-1}^{e'_{i,n-1}} \in S.$$
We extend this definition $k$-linearly to all polynomials in $R$. This gives a map $R \to S$, $f \mapsto \bar{f}$. We set
$$\overline{\mathcal{F}} = \{\bar{f} : f \in \mathcal{F}\}$$
and we set, where by convention $X_{i,n} = X_{i0}$,
$$\overline{\mathcal{F}}_f = \overline{\mathcal{F}} \cup \{X_{ij}^q - X_{i,j+1} : i = 0, \ldots, m-1,\ j = 0, \ldots, n-1\}.$$
We let $\bar{I}$ be the ideal generated by $\overline{\mathcal{F}}_f$. Note that $\bar{I}$ is radical.

There is a bijection between the zero set of $I$ (over $k$ or $\bar{k}$) and that of $\bar{I}$ (over $k$ or $\bar{k}$). If for example $X_i = a_i \in k$ gives a zero of $I$, then $(X_{i0}, \ldots, X_{i,n-1}) = (a_i, a_i^q, \ldots, a_i^{q^{n-1}})$ gives a zero of $\bar{I}$.

We will now prove a couple of lemmas which will be useful later.

Lemma 3.2. Let $h_1, h_2 \in R$ and $g \in S$. One has, where $\equiv_i$ is defined with respect to $\overline{\mathcal{F}}_f$:

i. $\overline{h_1 + h_2} \equiv_{\max(\deg(\overline{h_1}), \deg(\overline{h_2}))} \overline{h_1} + \overline{h_2}$;

ii. $\overline{h_1 \cdot h_2} \equiv_{\deg(\overline{h_1}) + \deg(\overline{h_2})} \overline{h_1} \cdot \overline{h_2}$;

iii. there is $h_3 \in R$ with $\deg_{X_i}(h_3) < q^n$ such that $g \equiv_{\deg(g)} \overline{h_3}$.

Proof. One reduces to the case of monomials and the result then follows easily. □

We have a morphism of $k$-algebras $\varphi : S \to R$ which maps $X_{ij}$ to $X_i^{q^j}$. This map has the following properties.

Lemma 3.3. Let $h \in R$. The following statements hold:

i. $\varphi(\bar{h}) \equiv h \pmod{X_i^{q^n} - X_i,\ i = 0, \ldots, m-1}$;

ii. $h \in I$ if and only if $\bar{h} \in \bar{I}$.

Proof. i: Follows directly.

ii: Let $h \in I$. We will show $\bar{h} \in \bar{I}$. One can write $h = \sum_{i=0}^{m-1} a_i (X_i^{q^n} - X_i) + \sum_{f \in \mathcal{F}} b_f f$. Modulo $\bar{I}$ we find with Lemma 3.2:
$$\bar{h} \equiv \sum_{i=0}^{m-1} \overline{a_i}\, \big(\overline{X_i^{q^n}} - \overline{X_i}\big) + \sum_{f \in \mathcal{F}} \overline{b_f}\, \bar{f} = \sum_{i=0}^{m-1} \overline{a_i}\, (X_{i0} - X_{i0}) + \sum_{f \in \mathcal{F}} \overline{b_f}\, \bar{f} \equiv 0.$$

Conversely, let $h \in R$ and assume $\bar{h} \in \bar{I}$. Write $\bar{h} = \sum_{i=0}^{m-1} \sum_{j=0}^{n-1} c_{ij} (X_{ij}^q - X_{i,j+1}) + \sum_{f \in \mathcal{F}} b_f \bar{f}$. One finds, using i,
$$\varphi(\bar{h}) = \sum_{i=0}^{m-1} \sum_{j=0}^{n-1} \varphi(c_{ij})\, \varphi(X_{ij}^q - X_{i,j+1}) + \sum_{f \in \mathcal{F}} \varphi(b_f)\, \varphi(\bar{f}) \equiv \sum_{i=0}^{m-1} \varphi(c_{i,n-1}) (X_i^{q^n} - X_i) + \sum_{f \in \mathcal{F}} \varphi(b_f)\, f \pmod{X_i^{q^n} - X_i,\ i = 0, \ldots, m-1},$$
since $\varphi(X_{ij}^q - X_{i,j+1}) = X_i^{q^{j+1}} - X_i^{q^{j+1}} = 0$ for $j < n-1$. We conclude $h \equiv \varphi(\bar{h}) \in I$. □
3.2.1. Degree bounds.

Lemma 3.4. Let $g \in R \setminus k$. Then one has
$$\deg(\bar{g}) \le \left\lfloor m(q-1)\left(\log_q\left(\frac{\deg(g)}{m}\right) + 1\right) \right\rfloor.$$

Proof. Let $g \in k[X] \setminus k$. Then one has
$$\deg(\bar{g}) \le (q-1)\big(\log_q(\deg(g)) + 1\big),$$
since $\deg(\overline{X^e})$ is the sum of the base-$q$ digits of $e$ (after reduction modulo $X^{q^n} - X$).

Let $g \in R \setminus k$. It is enough to prove the result for monomials. Assume that $g = X_0^{a_0} \cdots X_{m-1}^{a_{m-1}}$. Then by the first part and the inequality of arithmetic and geometric means, one has
$$\deg(\bar{g}) \le \sum_{i=0}^{m-1} (q-1)\big(\log_q(a_i) + 1\big) = (q-1)\Big(\log_q\Big(\prod_{i=0}^{m-1} a_i\Big) + m\Big) \le (q-1)\Big(\log_q\Big(\Big(\frac{\sum_{i=0}^{m-1} a_i}{m}\Big)^m\Big) + m\Big) = m(q-1)\Big(\log_q\Big(\frac{\deg(g)}{m}\Big) + 1\Big).$$
□

Lemma 3.5. Let $i \in \mathbb{Z}_{\ge 0}$. Set $s = \tau(i, q, m)$. Then one has
$$\{\bar{g} : g \in V_{\mathcal{F}_f, i}\} \subseteq V_{\overline{\mathcal{F}}_f, s}.$$

Proof. Assume $i > 0$. Let $f \in \mathcal{F}$ be nonconstant with $\deg(f) \le i$. Then Lemma 3.4 gives $\bar{f} \in V_{\overline{\mathcal{F}}_f, s}$. Assume $g \in V_{\mathcal{F}_f, i}$ and $h \in R$ are both nonconstant such that $\deg(gh) \le i$. Note that $\overline{gh} \equiv_{\overline{\mathcal{F}}_f, \deg(\bar{g}) + \deg(\bar{h})} \bar{g}\, \bar{h}$ by Lemma 3.2 ii. Then Lemma 3.4 gives, together with the inequality of arithmetic and geometric means,
$$\deg(\bar{g}) + \deg(\bar{h}) \le m(q-1)\Big(\log_q\Big(\frac{\deg(g)}{m}\Big) + 1\Big) + m(q-1)\Big(\log_q\Big(\frac{\deg(h)}{m}\Big) + 1\Big) \le 2m(q-1)\Big(\log_q\Big(\frac{i}{m}\Big) + 1\Big).$$
The result then follows easily. □

4. Last fall degree and descent

4.1. Relating the types of Weil descent. Let $k$ be a finite field of cardinality $q^n$ and let $k'$ be the subfield of $k$ of cardinality $q$. Let $\mathcal{F} \subseteq R$ be a finite subset. We will now compare the systems $\overline{\mathcal{F}}_f$ and $\mathcal{F}'_f$ with respect to a normal basis $\{\theta, \theta^q, \ldots, \theta^{q^{n-1}}\}$ of $k/k'$. We imitate a proof from Granboulan et al. [10, Section 4.2].

Proposition 4.1. One has:
$$\max(d_{\mathcal{F}'_f}, q, \deg(\mathcal{F}')) \le \max(d_{\overline{\mathcal{F}}_f}, q, \deg(\mathcal{F}')).$$
Proof. Set
$$\mathcal{G} = \{\bar{f}, \overline{f^q}, \ldots, \overline{f^{q^{n-1}}} : f \in \mathcal{F}\} \cup \{X_{ij}^q - X_{i,j+1} : i = 0, \ldots, m-1,\ j = 0, \ldots, n-1\}.$$
Note that we have $\overline{\mathcal{F}}_f \subseteq \mathcal{G}$. Note furthermore that both sets generate the same ideal since
$$\overline{f^{q^l}} \equiv_{\overline{\mathcal{F}}_f, \infty} \bar{f}^{\,q^l}$$
by Lemma 3.2 ii. Hence we have $d_{\mathcal{G}} \le d_{\overline{\mathcal{F}}_f}$ (Proposition 2.6 vii).

Since $k/k'$ is a separable extension, the matrix $(\theta^{q^{j+k}})_{j,k=0}^{n-1}$ is invertible. Consider the linear change of variables defined by
$$Y_{ij} = \sum_{k=0}^{n-1} \theta^{q^{j+k}} X_{ik}.$$
By convention, we set $Y_{ij} = Y_{i, j \bmod n}$. We first notice that the field equations of the two systems are the same up to a linear change of equations:
$$Y_{ij}^q - Y_{i,j+1} = \sum_{k=0}^{n-1} \theta^{q^{j+1+k}} X_{ik}^q - \sum_{k'=0}^{n-1} \theta^{q^{j+1+k'}} X_{ik'} = \sum_{k=0}^{n-1} \theta^{q^{j+1+k}} (X_{ik}^q - X_{ik}).$$

We claim:
$$\overline{f^{q^l}}(\ldots, Y_{ij}, \ldots) \equiv \sum_{k=0}^{n-1} \theta^{q^{l+k}} [f]_k \pmod{X_{ij}^q - X_{ij},\ i = 0, \ldots, m-1,\ j = 0, \ldots, n-1}.$$
It is enough to prove the claim for $f = c \prod_{i=0}^{m-1} X_i^{e_i}$, since both Weil descent models are additive.

Let $X_i^{e'_i}$ be the remainder of division of $X_i^{e_i}$ by $X_i^{q^n} - X_i$ and write $e'_i = \sum_{j=0}^{n-1} a_{ij} q^j$ with $a_{ij} \in \{0, 1, \ldots, q-1\}$. This gives, modulo $Y_{ij}^q - Y_{i,j+1}$,
$$\overline{f^{q^l}}(\ldots, Y_{ij}, \ldots) \equiv c^{q^l} \prod_{i=0}^{m-1} \prod_{j=0}^{n-1} Y_{i,j+l}^{a_{ij}}.$$
Furthermore, modulo $X_{ij}^q - X_{ij}$, we have
$$f^{q^l}\Big(\ldots, \sum_{k=0}^{n-1} \theta^{q^k} X_{ik}, \ldots\Big) = c^{q^l} \prod_{i=0}^{m-1} \Big(\sum_{k=0}^{n-1} \theta^{q^k} X_{ik}\Big)^{q^l e'_i} \equiv c^{q^l} \prod_{i=0}^{m-1} \prod_{j=0}^{n-1} \Big(\sum_{k=0}^{n-1} \theta^{q^{j+l+k}} X_{ik}\Big)^{a_{ij}} = c^{q^l} \prod_{i=0}^{m-1} \prod_{j=0}^{n-1} Y_{i,j+l}^{a_{ij}}.$$
Thus we get the following equation from the above two identities modulo $X_{ij}^q - X_{ij}$, since $[f]_k^q \equiv [f]_k$:
$$\overline{f^{q^l}}(\ldots, Y_{ij}, \ldots) \equiv f^{q^l}\Big(\ldots, \sum_{k=0}^{n-1} \theta^{q^k} X_{ik}, \ldots\Big) = \Big(\sum_{k=0}^{n-1} \theta^{q^k} [f]_k\Big)^{q^l} \equiv \sum_{k=0}^{n-1} \theta^{q^{k+l}} [f]_k.$$

In other words, there exist polynomials $h_{ij} \in S$ such that
$$\overline{f^{q^l}}(\ldots, Y_{ij}, \ldots) = \sum_{k=0}^{n-1} \theta^{q^{k+l}} [f]_k + \sum_{i,j} h_{ij} (X_{ij}^q - X_{ij}).$$
One has $\deg(\overline{f^{q^l}}) = \deg(\bar{f}) = \max_k(\deg([f]_k))$ by [12, Proposition 3.2]. Since $\{X_{ij}^q - X_{ij} : i = 0, \ldots, m-1,\ j = 0, \ldots, n-1\}$ forms a Gröbner basis for any graded order, we conclude that $\deg(h_{ij}(X_{ij}^q - X_{ij})) \le \deg(\overline{f^{q^l}})$.

Hence we have shown that the systems $\mathcal{G}$ and $\mathcal{F}'_f$ can be obtained from each other through a linear change of variables and a change of polynomials. From Proposition 2.6 iv, v we conclude
$$\max(d_{\mathcal{F}'_f}, q, \deg(\mathcal{F}')) = \max(d_{\mathcal{G}}, q, \deg(\mathcal{F}')) \le \max(d_{\overline{\mathcal{F}}_f}, q, \deg(\mathcal{F}')).$$
□

4.2. GCD computations. Let $q$ be a prime power and let $k$ be a finite field of cardinality $q^n$. Let $\mathcal{F} \subseteq k[X]$ be a finite set. Consider the Weil descent system $\overline{\mathcal{F}}_f$ to the subfield of cardinality $q$. Define $\equiv_i$ with respect to $\overline{\mathcal{F}}_f$. For $e \in \mathbb{Z}_{\ge 0}$ with $e = \sum_i a_i q^i$ in base $q$ we set $w(e) = \sum_i a_i$. For $f = \sum_i b_i X^i$, we set $w(f) = \max(w(i) : b_i \ne 0)$. Note that $w(f) \ge \deg(\bar{f})$, with equality if $\deg(f) < q^n$. We start with a technical lemma.

Lemma 4.2. Let $h_2 \in k[X]$ be nonzero of degree $d$. Set $u = \tau(2d, q, 1)$. Assume $\overline{h_2} \equiv_u 0$. Let $h_1 \in k[X]$. Let $h_3$ be the remainder of division of $h_1$ by $h_2$. Then one has $\overline{h_1} \equiv_{\max(u, w(h_1))} \overline{h_3}$.

Proof. If $d = 0$, the result follows easily. Assume $d > 0$.

Fix $h_2$ and write $h_2 = \sum_{i=0}^{d} b_i X^i$ where $b_d \ne 0$. Since taking remainders is additive, it suffices to prove the result for $h_1 = X^e$. Let $r_e$ be the remainder of division of $X^e$ by $h_2$. For $g \in k[X]$ with $\deg(g) < d$, one has $\deg(\bar{g}) \le u/2$ (Lemma 3.4). In particular, we have $\deg(\overline{r_e}) \le u/2$.

We will prove the following statements successively:

i. for $e \in \{0, 1, \ldots, qd - 1\}$, we have $\overline{X^e} \equiv_u \overline{r_e}$;

ii. if $e, e'$ satisfy $w(e) + w(e') \le u$, $\overline{X^e} \equiv_u \overline{r_e}$ and $\overline{X^{e'}} \equiv_u \overline{r_{e'}}$, then $\overline{X^{e+e'}} \equiv_u \overline{r_{e+e'}}$;

iii. for $e$ with $w(e) \le u$, we have $\overline{X^e} \equiv_u \overline{r_e}$;

iv. one has $\overline{X^e} \equiv_{\max(u, w(e))} \overline{r_e}$.

i: For $e = 0, \ldots, d-1$, the remainder is $X^e$ itself and the result follows. One has $r_d = -b_d^{-1} \sum_{i=0}^{d-1} b_i X^i$, and since $\overline{h_2} \equiv_u 0$ this gives $\overline{X^d} \equiv_u \overline{r_d}$. We continue by induction. Assume the statement holds for cases smaller than $e$ and that $e \le qd - 1$. We will prove the statement for $e$. Write $r_{e-1} = \sum_{j=0}^{d-1} c_j X^j$. Note that $r_e$ is the remainder of division of $X r_{e-1}$ by $h_2$, which gives $r_e = \sum_{j=0}^{d-1} c_j r_{j+1}$. Note that
$$e - 1 \le qd - 2 = q^{\log_q(d) + 1} - 2.$$
Hence we have (as $d > 0$, see also Lemma 3.4):
$$\deg(\overline{X}) + \deg(\overline{X^{e-1}}) \le 1 + \lfloor (q-1)(\log_q(d) + 2) - 1 \rfloor = \lfloor (q-1)(\log_q(d) + 2) \rfloor \le u.$$
Using Lemma 3.2 and the induction hypothesis, we find
$$\overline{X^e} \equiv_u \overline{X} \cdot \overline{X^{e-1}} \equiv_u \overline{X} \cdot \overline{r_{e-1}} \equiv_u \sum_{j=0}^{d-1} c_j \overline{X^{j+1}} \equiv_u \sum_{j=0}^{d-1} c_j \overline{r_{j+1}},$$
and this gives the required remainder.

ii: Assume without loss of generality that $w(e') \le u/2$. Then one has $u \ge \max(w(e) + w(e'),\ \deg(\overline{r_e}) + w(e'),\ \deg(\overline{r_e}) + \deg(\overline{r_{e'}}))$ and one has $\deg(r_e r_{e'}) \le 2d - 2 < qd - 1$. Lemma 3.2 and i give
$$\overline{X^{e+e'}} \equiv_u \overline{X^e} \cdot \overline{X^{e'}} \equiv_u \overline{r_e} \cdot \overline{X^{e'}} \equiv_u \overline{r_e} \cdot \overline{r_{e'}} \equiv_u \overline{r_e r_{e'}} \equiv_u \overline{r_{e+e'}}.$$

iii: Using ii and induction, we easily reduce to the case where $e = q^l$. Note that $q^l = q \cdot q^{l-1}$ and that $u \ge q$. We can then apply ii and the proof follows by induction.

iv: We prove this statement by induction on $w(e) > u$. Write $e = e_1 + e_2$ with $u \le w(e_1) < w(e)$ and $w(e_1) + w(e_2) = w(e)$. One has (Lemma 3.2 and iii)
$$\overline{X^e} \equiv_{\max(u, w(e))} \overline{X^{e_1}} \cdot \overline{X^{e_2}} \equiv_{\max(u, w(e))} \overline{r_{e_1}} \cdot \overline{X^{e_2}} \equiv_{\max(u, w(e))} \overline{r_{e_1}} \cdot \overline{r_{e_2}} \equiv_{\max(u, w(e))} \overline{r_e}.$$
□


Proposition 4.3. Assume $\mathcal{F} = \{f\}$ with $f$ nonzero. Set $u = \tau(2\deg(f), q, 1)$ and set $g = \gcd(f, X^{q^n} - X)$. We have: $\bar{g} \in V_u$.

Proof. Let $f_1$ be the remainder of division of $X^{q^n} - X$ by $f$. Since $\overline{X^{q^n} - X} = X_0 - X_0 = 0$, Lemma 4.2 gives $\overline{f_1} \equiv_u 0$. Let $f_2$ be the remainder of division of $f$ by $f_1$. Similarly, we find $\overline{f_2} \equiv_u 0$. Hence we can follow the Euclidean algorithm and we obtain $\bar{g} \in V_u$. □

4.3. Last fall degree of Weil descent systems. For a finite subset $\mathcal{F} \subseteq R$, we denote by $Z(\mathcal{F})$ the set of zeros of $\mathcal{F}$ over $\bar{k}$. Let $k''$ be a field extension of $k$. For $i = 0, \ldots, m-1$, we write
$$\pi_{i,\mathcal{F},k''} = \prod_{x \in \{x_i : \exists (x_0, \ldots, x_{m-1}) \in Z(\mathcal{F}) \cap k''^m\}} (X_i - x) \in k''[X_i].$$
We write $\pi_{i,\mathcal{F}}$ for $\pi_{i,\mathcal{F},\bar{k}}$; by Galois theory it lies in $k[X_i]$.

We are finally ready to prove the main theorem (Theorem 1.1).

Theorem 4.4. Let $k$ be a finite field of cardinality $q^n$. Let $\mathcal{F} \subseteq R$ be a finite subset. Let $I$ be the ideal generated by $\mathcal{F}$. Assume that the following hold:

• $I$ is zero-dimensional, say one has $|Z(\mathcal{F})| \le s$;

• $I$ is radical;

• there is a coordinate $t$ such that the projection map $Z(\mathcal{F}) \to \bar{k}$ to coordinate $t$ is injective.

Let $\mathcal{F}'_f$ be the Weil descent system of $\mathcal{F}$ to the subfield $k'$ of cardinality $q$ using some basis of $k/k'$, together with the field equations (Subsection 3.1). Then one has
$$d_{\mathcal{F}'_f} \le \max\left(\tau\big(\max(d_{\mathcal{F}}, \deg(\mathcal{F}), (m+1)s, 1),\ q,\ m\big),\ m \cdot \tau(2s, q, 1),\ q\right).$$

Proof. We have $d_{\mathcal{F}'_f} \le \max(d_{\overline{\mathcal{F}}_f}, q, \tau(\deg(\mathcal{F}), q, m))$ by Proposition 4.1, Lemma 3.5, Remark 3.1 and Proposition 2.6 iv, v. Hence we will work with the alternative Weil descent system $\overline{\mathcal{F}}_f$.

Without loss of generality, we may assume that $t = 0$. We can then write
$$Z(\mathcal{F}) = \{(a, \gamma_1(a), \ldots, \gamma_{m-1}(a)) : a \in \bar{k},\ \pi_{0,\mathcal{F}}(a) = 0\}$$
for some $\gamma_i \in k[X_0]$ of degree $< s$ by the Lagrange interpolation formula and by Galois theory. Indeed, we can just put
$$\gamma_i = \sum_{x = (x_0, \ldots, x_{m-1}) \in Z(\mathcal{F})} x_i \prod_{(x'_0, \ldots, x'_{m-1}) \in Z(\mathcal{F}) \setminus \{x\}} \frac{X_0 - x'_0}{x_0 - x'_0}.$$
Note that $\gcd(\pi_{0,\mathcal{F}}, X_0^{q^n} - X_0) = \pi_{0,\mathcal{F},k}$ and one also has
$$Z(\mathcal{F}) \cap k^m = \{(a, \gamma_1(a), \ldots, \gamma_{m-1}(a)) : a \in k,\ \pi_{0,\mathcal{F},k}(a) = 0\}.$$

Set $r_0 = \max(d_{\mathcal{F}}, s, 1)$. By definition we have $\pi_{i,\mathcal{F}}, X_i - \gamma_i \in V_{\mathcal{F}, r_0}$, since $I$ is radical. Set $r_1 = \tau(r_0, q, m)$. By Lemma 3.5 we have $\overline{\pi_{i,\mathcal{F}}}, \overline{X_i - \gamma_i} \in V_{\overline{\mathcal{F}}_f, r_1}$. Set $r_2 = \max(r_1, \tau(2s, q, 1))$. We have $\overline{\pi_{0,\mathcal{F},k}}, \overline{\pi_{i,\mathcal{F}}}, \overline{X_i - \gamma_i} \in V_{\overline{\mathcal{F}}_f, r_2}$ (for $i = 1, \ldots, m-1$) by Proposition 4.3.

Now consider the system
$$\mathcal{G} = \{\pi_{0,\mathcal{F},k}, \pi_{1,\mathcal{F}}, \ldots, \pi_{m-1,\mathcal{F}}\} \cup \{X_1 - \gamma_1, \ldots, X_{m-1} - \gamma_{m-1}\}.$$
We have $\overline{\mathcal{G}} \subseteq V_{\overline{\mathcal{F}}_f, r_2}$. Let $I'$ be the ideal generated by $\mathcal{F}_f$. Note that $I'$ is the same as the ideal generated by $\mathcal{G}$, because both ideals are radical and have the same zero set. We first bound $d_{\mathcal{G}}$. Let $h \in I'$. One easily obtains
$$h \equiv_{\mathcal{G}, \deg(h)} h'$$
for some $h' \in R$ with $\deg_{X_i}(h') < s$, using $\pi_{0,\mathcal{F},k}$ and $\pi_{i,\mathcal{F}}$ ($i = 1, \ldots, m-1$). Then one can replace $X_i$ ($i > 0$) with $\gamma_i$ and do reductions with $\pi_{0,\mathcal{F},k}$ to make a polynomial in $k[X_0]$ and conclude
$$h \equiv_{\mathcal{G}, \max(\deg(h), (m+1)s)} 0.$$
Hence we have $d_{\mathcal{G}} \le (m+1)s$.

Let $h \in S$. We first claim that there is $h_1 \in R$ with $\deg_{X_i}(h_1) < s$ and
$$h \equiv_{\overline{\mathcal{F}}_f, \max(\deg(h),\ m \cdot \tau(2s, q, 1),\ r_2)} \overline{h_1}.$$
We may assume that $h$ is a monomial. By Lemma 3.2 iii, there is an $h_3 \in R$ with $\deg_{X_i}(h_3) < q^n$ and $h \equiv_{\overline{\mathcal{F}}_f, \deg(h)} \overline{h_3}$. Note that $h_3$ can be chosen to be a monomial, say $h_3 = X_0^{a_0} \cdots X_{m-1}^{a_{m-1}}$. Set $w_i = \deg(\overline{X_i^{a_i}})$. Without loss of generality, we may assume $w_0 \ge w_1 \ge \ldots \ge w_{m-1}$. Let $j$ be maximal such that $w_j \ge \tau(2s, q, 1)$. Let $g_i$ be the remainder of division of $X_i^{a_i}$ by $\pi_{i,\mathcal{F}}$ (and by $\pi_{0,\mathcal{F},k}$ if $i = 0$). By Lemma 4.2, for $i = 0, \ldots, j$ we have
$$\overline{X_i^{a_i}} \equiv_{\overline{\mathcal{G}}_f, w_i} \overline{g_i},$$
and for $i = j+1, \ldots, m-1$ we have
$$\overline{X_i^{a_i}} \equiv_{\overline{\mathcal{G}}_f, \tau(2s, q, 1)} \overline{g_i}.$$
We obtain by Lemma 3.2 ii and Remark 2.4
$$\overline{X_0^{a_0}} \cdots \overline{X_{m-1}^{a_{m-1}}} \equiv_{\overline{\mathcal{G}}_f,\ w_0 + \cdots + w_j} \overline{g_0} \cdots \overline{g_j} \cdot \overline{X_{j+1}^{a_{j+1}}} \cdots \overline{X_{m-1}^{a_{m-1}}} \equiv_{\overline{\mathcal{G}}_f,\ \max(\deg(h),\ m \cdot \tau(2s,q,1))} \overline{g_0} \cdots \overline{g_{m-1}} \equiv_{\overline{\mathcal{G}}_f,\ \max(\deg(h),\ m \cdot \tau(2s,q,1))} \overline{g_0 \cdots g_{m-1}}.$$

Let $\bar{I}$ be the ideal generated by $\overline{\mathcal{F}}_f$. Assume $h \in \bar{I}$. By the above there is $h_1 \in R$ with $\deg_{X_i}(h_1) < s$ and
$$h \equiv_{\overline{\mathcal{F}}_f, \max(\deg(h),\ m \cdot \tau(2s, q, 1),\ r_2)} \overline{h_1}.$$
From Lemma 3.3 it follows that $h_1 \in I'$. We have $h_1 \in V_{\mathcal{G}, (m+1)s}$ by the above. From Lemma 3.5 we have $\overline{h_1} \in V_{\overline{\mathcal{G}}_f, \tau((m+1)s, q, m)}$. Hence we conclude:
$$h \equiv_{\overline{\mathcal{F}}_f, \max(\deg(h),\ \tau((m+1)s, q, m),\ m \cdot \tau(2s, q, 1),\ r_2)} 0,$$
where $r_2 = \max(r_1, \tau(2s, q, 1)) = \max(\tau(\max(d_{\mathcal{F}}, s, 1), q, m), \tau(2s, q, 1))$. Summarizing, this gives
$$h \equiv_{\overline{\mathcal{F}}_f, \max(\deg(h),\ \tau(\max((m+1)s, d_{\mathcal{F}}, 1), q, m),\ m \cdot \tau(2s, q, 1))} 0.$$
The result then follows. □

4.4. Possible improvements of the main theorem. In this subsection we discuss how one can improve Theorem 4.4. Our main goal is to obtain a result for which the last fall degree of a Weil descent system does not depend on $n$.

If one reads the proof carefully, one notices that one can replace $(m+1)s$ by $m(s-1) - 1 + (s-1) = (m+1)(s-1) - 1$ if $m > 1$. For $m = 1$, one can prove a much simpler theorem using mostly Proposition 4.3. The result is the following statement.

Theorem 4.5. Let $k$ be a finite field of cardinality $q^n$. Assume $m = 1$. Let $\mathcal{F} \subset R$ be a finite subset. Let $d \in \mathbb{Z}_{>0}$ be such that there is $f \in \mathcal{F}$ with $0 < \deg(f) \le d$, and such that for all $g \in \mathcal{F}$ we have $\deg(g) \le \tau(2d, q, 1)$. Let $\mathcal{F}'$ be the Weil descent system of $\mathcal{F}$ to the subfield $k'$ of cardinality $q$ using some basis of $k/k'$, together with the field equations (Subsection 3.1). Then one has

$$d_{\mathcal{F}'} \le \max(\tau(2d, q, 1), q).$$

Proof. (Sketch) As in the proof of Theorem 4.4 we work with the system $\mathcal{F}'$.

Set $u = \tau(2d, q, 1)$ and set $g = \gcd(\mathcal{F} \cup \{X^{q^n} - X\})$. Using Lemma 4.5 and Proposition 4.3 one can prove $g \equiv_{\mathcal{F}', u} 0$.

Let $h \in I$. By Lemma 3.2 ii. one has $h \equiv_{\mathcal{F}', \deg(h)} h_2$ for some $h_2 \in k[X]$. Since $h \in I$, it follows from Lemma 3.3 i that $h_2 \in I$. Hence $h_2$ has remainder $0$ when divided by $g$. From Lemma 4.2 we conclude

$$h \equiv_{\mathcal{F}', \max(\deg(h), u)} h_2 \equiv_{\mathcal{F}', \max(\deg(h), u)} 0.$$

This finishes the proof. □

One can also study the Weil descent of a system $\mathcal{H}$ which consists of $\mathcal{F}$ and some polynomials in one of the variables of weight at most $\tau(2s, q, 1)$ (such as linear subspace constraints). One can easily generalize as in Theorem 4.5, and exactly the same result should hold (the extra polynomials do not play a role). We did not use this formulation, because it looks a bit more complex.

The restriction that $I$ is radical can be removed by using some effective Nullstellensatz.

Consider the condition which says that the projection to one coordinate should be injective. If one has upper bounds on the last fall degree of $\mathcal{F} \cup \{\pi_{i,\mathcal{F},k} : i = 0, \ldots, m-1\}$ (this is a system with degree bounded by $\max(\deg(\mathcal{F}), s)$ in $m$ variables), then one can give a similar result without the condition. Another way to remove this condition on the projection is given by the following lemma.

Lemma 4.6. Let $k$ be a field, $n \in \mathbb{Z}_{>0}$ and let $v_1, \ldots, v_r \in k^n$ be distinct. Assume that $|k| > \binom{r}{2}$. Then there exists a matrix $A \in \mathrm{GL}_n(k)$ such that the first coordinates of $Av_1, \ldots, Av_r$ are pairwise distinct.

Proof. Assume that $k$ is a finite field. Let $q = |k|$. It is equivalent to find $y \in k^n$ such that $\langle y, v_1 \rangle, \ldots, \langle y, v_r \rangle$ are distinct, that is, such that for $i \ne j$ one has $\langle y, v_i - v_j \rangle \ne 0$. There are $q^{n-1}$ vectors $y$ with $\langle y, v_i - v_j \rangle = 0$. Hence there are at least $q^n - \binom{r}{2} q^{n-1}$ vectors which make none of the inner products zero, and if $q^n > \binom{r}{2} q^{n-1}$ the result follows. The proof for an infinite field follows in a similar way. □

Hence by enlarging the field $k$, and after applying some transformations, one can make sure the projection maps are injective (use Proposition 2.6). There are some problems when doing this, but an approach along those lines might work.

With our techniques it seems impossible to remove the condition that the system is zero-dimensional (see also Section 6).

5. Multi-HFE 

In this section we discuss the security of a multi-HFE system. Let us first describe the idea. The idea of HFE and multi-HFE is that it is easy to solve zero-dimensional systems with few variables, but it becomes harder when the number of variables increases. Using Weil descent, one can construct a system with a lot of variables from a system with only a few variables.

Suppose we have a zero-dimensional system coming from a finite subset $\mathcal{F} \subset R$, where $k$ is a finite field of cardinality $q^n$ with subfield $k'$ of cardinality $q$. If the number of variables is small, then one should be able to find the solutions of the system in $k$ easily with Gröbner basis algorithms. Now consider the system $\mathcal{F}'$ coming from a Weil descent to $k'$ (in the literature, people have mostly considered systems which become quadratic after Weil descent; see for example [?]). Let $\mathcal{G}'$ be the system obtained from a random affine transformation of the variables and a random linear transformation of the polynomials themselves. This system looks very complicated, and it seems hard to find solutions for this system unless one knows the transformations. Theorem 4.4, together with the fact that the last fall degree is almost independent of the linear changes (Proposition 2.6), shows that we can give an upper bound on the last fall degree of the Weil descent system $\mathcal{G}'$ which does not depend on $n$. Since we can solve systems if we know the last fall degree (Proposition 2.8), we can solve such systems quite efficiently. The dependence on $n$ only comes from Proposition 2.8.

This shows that solving such Weil descent systems is much easier than expected 
and hence threatens the security of such schemes. 
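To make the Weil descent step of this construction concrete, here is an added example (written for this edit, not code from the paper): for $q = 2$ and $m = 1$ it takes a univariate polynomial over $k = \mathrm{GF}(2^n)$, substitutes $X = X_0 + X_1 t + \ldots + X_{n-1} t^{n-1}$ for the polynomial basis of $k$ over $k' = \mathrm{GF}(2)$, reduces by the field equations $X_i^2 = X_i$ and splits every coefficient into its coordinates, which yields $n$ polynomials over $\mathrm{GF}(2)$ in $n$ variables with the same zeros as the original. It also shows, beyond the text, that the descent of $X^e$ has degree at most the number of ones in $e$ (the weight of the exponent mentioned above), so HFE-type exponents $2^i + 2^j$ give quadratic systems; the field $\mathrm{GF}(16)$, the basis choice and the sample polynomial are assumptions of the example.

```python
def gf_mul(a, b, n, mod):
    """Multiply in GF(2^n) = GF(2)[t]/(mod); elements and mod are bitmasks of polynomials in t."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b, a = b >> 1, a << 1
        if a >> n:
            a ^= mod
    return r

def poly_mul(p, q, n, mod):
    """Multiply {monomial: coeff} polynomials over GF(2^n); a monomial is the bitmask of its variables."""
    r = {}
    for m1, c1 in p.items():
        for m2, c2 in q.items():
            r[m1 | m2] = r.get(m1 | m2, 0) ^ gf_mul(c1, c2, n, mod)  # X_i^2 = X_i: product is OR
    return {m: c for m, c in r.items() if c}

def weil_descent(f, n, mod):
    """f = {exponent: coeff} in k[X]; returns n GF(2) polynomials (sets of monomials) in X_0..X_{n-1}."""
    X = {1 << i: 1 << i for i in range(n)}          # X = sum_i X_i t^i (coefficient t^i on X_i)
    total = {}
    for e, c in f.items():
        term = {0: c}
        for _ in range(e):                            # c * X^e, reduced by X_i^2 = X_i
            term = poly_mul(term, X, n, mod)
        for m, v in term.items():
            total[m] = total.get(m, 0) ^ v
    return [{m for m, c in total.items() if c >> j & 1} for j in range(n)]  # coordinate j

def descent_degree(system):
    return max((bin(m).count("1") for g in system for m in g), default=0)

def eval_f(f, a, n, mod):
    r = 0                                             # f(a) in GF(2^n) by repeated multiplication
    for e, c in f.items():
        p = c
        for _ in range(e):
            p = gf_mul(p, a, n, mod)
        r ^= p
    return r

def zeros_agree(f, n, mod):
    """f(a) = 0 in k iff every descent polynomial vanishes at the bits of a (X_i = bit i of a)."""
    system = weil_descent(f, n, mod)
    return all((eval_f(f, a, n, mod) == 0) == all(sum(a & m == m for m in g) % 2 == 0 for g in system)
               for a in range(1 << n))
# Constructed HFE-like sample over GF(16) = GF(2)[t]/(t^4 + t + 1): f = t X^5 + X^3 + X + t^2
MOD16, F = 0b10011, {5: 0b0010, 3: 1, 1: 1, 0: 0b0100}
```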
6. Relation to ECDLP

Let $k$ be a finite field of cardinality $q^n$ and let $k'$ be its subfield of cardinality $q$. Let $f \in R = k[X_0, \ldots, X_{m-1}]$ with $m \ge 2$. It has been suggested (see for example [15]) that for the Weil descent system of $\{f\}$ (or in general of a polynomial system which need not be zero-dimensional) to $k'$, the first fall degree is close to the degree of regularity, the largest degree reached during a Gröbner basis computation. An example of the Weil descent of a single polynomial comes from one of the approaches to solve the elliptic curve discrete logarithm problem using summation polynomials (see for example [?]). In this case the first fall degree does not depend on $n$, and it is very tempting to adopt the first fall degree assumption, as it leads to a heuristically subexponential attack on the elliptic curve discrete logarithm problem over finite fields of small characteristic. However, more recent works (see for example [13]) have cast serious doubt on the first fall degree assumption.

What we have shown in this paper is that to a large extent the last fall degree of the Weil descent system of a zero-dimensional polynomial system is independent of $n$ (Theorem 4.4). This has enabled us to successfully solve HFE and multi-HFE systems with rigorously proven time complexity, as the underlying polynomial systems are zero-dimensional. Unfortunately, the system coming from a single multivariate polynomial, without field equations, is not zero-dimensional, and our approach using projection polynomials does not work (Theorem 4.4). The system only becomes zero-dimensional when we add the field equations.

We do think that it is of great interest to study such systems coming from a 
single multivariate polynomial (or systems which are not zero-dimensional). We 
hope that this article is a step in the right direction. 

References 

[1] Bettale, L., Faugère, J.-C., and Perret, L. Cryptanalysis of HFE, multi-HFE and variants for odd and even characteristic. Des. Codes Cryptogr. 69, 1 (2013), 1-52.

[2] Buchmann, J. A., Ding, J., Mohamed, M. S. E., and Mohamed, W. S. A. E. MutantXL: Solving multivariate polynomial equations for cryptanalysis. In Symmetric Cryptography (Dagstuhl, Germany, 2009), H. Handschuh, S. Lucks, B. Preneel, and P. Rogaway, Eds., no. 09031 in Dagstuhl Seminar Proceedings, Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, Germany.

[3] Courtois, N., Klimov, A., Patarin, J., and Shamir, A. Efficient algorithms for solving overdefined systems of multivariate polynomial equations. In Proceedings of the 19th International Conference on Theory and Application of Cryptographic Techniques (Berlin, Heidelberg, 2000), EUROCRYPT '00, Springer-Verlag, pp. 392-407.

[4] Diem, C. On the discrete logarithm problem in elliptic curves. Compos. Math. 147, 1 (2011), 75-104.

[5] Ding, J., and Hodges, T. J. Inverting HFE systems is quasi-polynomial for all fields. In Advances in cryptology - CRYPTO 2011, vol. 6841 of Lecture Notes in Comput. Sci. Springer, Heidelberg, 2011, pp. 724-742.

[6] Faugère, J.-C. A new efficient algorithm for computing Gröbner bases (F4). J. Pure Appl. Algebra 139, 1-3 (1999), 61-88. Effective methods in algebraic geometry (Saint-Malo, 1998).

[7] Faugère, J.-C. A new efficient algorithm for computing Gröbner bases without reduction to zero (F5). In Proceedings of the 2002 International Symposium on Symbolic and Algebraic Computation (2002), ACM, New York, pp. 75-83 (electronic).

[8] Faugère, J. C., Gianni, P., Lazard, D., and Mora, T. Efficient computation of zero-dimensional Gröbner bases by change of ordering. J. Symbolic Comput. 16, 4 (1993), 329-344.

[9] Faugère, J.-C., and Joux, A. Algebraic cryptanalysis of hidden field equation (HFE) cryptosystems using Gröbner bases. In Advances in cryptology - CRYPTO 2003, vol. 2729 of Lecture Notes in Comput. Sci. Springer, Berlin, 2003, pp. 44-60.

[10] Granboulan, L., Joux, A., and Stern, J. Inverting HFE is quasipolynomial. In Advances in Cryptology - CRYPTO 2006, 26th Annual International Cryptology Conference (2006), vol. 4117 of Lecture Notes in Computer Science, Springer, pp. 345-356.

[11] Huang, M.-D. A., Kosters, M., and Yeo, S. L. Last fall degree, HFE, and Weil descent attacks on ECDLP. Cryptology ePrint Archive, Report 2015/573, 2015.

[12] Kosters, M. Polynomial maps on vector spaces over a finite field. Finite Fields Appl. 31 (2015), 1-7.

[13] Kosters, M., and Yeo, S. L. Notes on summation polynomials. http://arxiv.org/abs/1503.08001, 2015. Preprint.

[14] Petit, C. Bounding HFE with SRA. http://www0.cs.ucl.ac.uk/staff/c.petit/files/SRA_GB.pdf, 2013. Preprint.

[15] Petit, C., and Quisquater, J.-J. On polynomial systems arising from a Weil descent. In Advances in cryptology - ASIACRYPT 2012, vol. 7658 of Lecture Notes in Comput. Sci. Springer, Heidelberg, 2012, pp. 451-466.

[16] von zur Gathen, J., and Panario, D. Factoring polynomials over finite fields: a survey. J. Symbolic Comput. 31, 1-2 (2001), 3-17. Computational algebra and number theory (Milwaukee, WI, 1996).


